CVE-2025-12633 Overview
CVE-2025-12633 affects the Booking Calendar | Appointment Booking | Bookit plugin for WordPress through version 2.5.0. The plugin exposes a REST API endpoint at /wp-json/bookit/v1/commerce/stripe/return that lacks a capability check [CWE-862]. Unauthenticated attackers can invoke this endpoint to connect their own Stripe account to the target site and redirect future payment flows. The flaw was patched in version 2.5.1 of the plugin.
Critical Impact
Unauthenticated attackers can hijack the site's Stripe payment configuration by linking their own Stripe account, redirecting customer payments away from the legitimate site owner.
Affected Products
- Booking Calendar | Appointment Booking | Bookit plugin for WordPress, versions up to and including 2.5.0
- Fixed in Bookit version 2.5.1
- WordPress sites running the vulnerable plugin with Stripe integration available
Discovery Timeline
- 2025-11-12 - CVE-2025-12633 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12633
Vulnerability Analysis
The Bookit plugin registers a REST route at /wp-json/bookit/v1/commerce/stripe/return used during the Stripe Connect onboarding flow. The handler in src/Bookit/Gateways/StripeConnect/REST/Return_Endpoint.php did not validate that the caller had administrative privileges. As a result, any unauthenticated HTTP client could invoke the endpoint and submit Stripe Connect parameters. The endpoint persists the supplied Stripe account identifier into plugin configuration, replacing the legitimate site owner's payout destination.
This is a missing authorization issue rather than an authentication bypass. WordPress REST routes must declare a permission_callback that enforces capability checks. When that callback returns true unconditionally (the __return_true idiom) or defers the check to a handler that never performs it, the endpoint is reachable by anonymous users. The Bookit patch in version 2.5.1 adds the required capability validation before processing return parameters.
Root Cause
The root cause is an absent capability check on a state-changing REST endpoint. The permission_callback for the Stripe return handler did not require manage_options or an equivalent administrative capability, violating WordPress REST API security guidance.
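The contrast below is an added example written for this page; it is not Bookit's code and does not reproduce the vendor's patch. It shows the vulnerable shape the analysis describes (a state-changing REST route whose permission_callback is __return_true) next to a hardened version in which an administrator starts the Stripe Connect flow from an authenticated route that mints a one-time state token, and the return route refuses any request that does not present that token. The 'bookit_demo/v1' namespace, the 'account_id' and 'state' parameter names, the option name and the transient prefix are all assumptions.

```php
<?php
/**
 * Added example (not Bookit's code): vulnerable versus hardened Stripe Connect
 * return route. Assumed names: 'bookit_demo/v1', 'account_id', 'state',
 * 'bookit_demo_stripe_account', 'bookit_demo_stripe_state_'.
 */

// Vulnerable pattern (CWE-862): the route changes site state, yet anyone may call it.
function bookit_demo_register_vulnerable_route() {
    register_rest_route( 'bookit_demo/v1', '/commerce/stripe/return', array(
        'methods'             => 'GET',
        'callback'            => 'bookit_demo_handle_return',
        'permission_callback' => '__return_true', // anonymous callers are accepted
    ) );
}

// Hardened pattern: only an administrator can start the flow, and the return
// route is bound to the state token that the start route issued.
function bookit_demo_register_hardened_routes() {
    register_rest_route( 'bookit_demo/v1', '/commerce/stripe/start', array(
        'methods'             => 'POST',
        'callback'            => 'bookit_demo_handle_start',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );

    register_rest_route( 'bookit_demo/v1', '/commerce/stripe/return', array(
        'methods'             => 'GET',
        'callback'            => 'bookit_demo_handle_return',
        'permission_callback' => 'bookit_demo_return_permission',
        'args'                => array(
            'state'      => array( 'required' => true, 'type' => 'string' ),
            'account_id' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
}

function bookit_demo_handle_start( WP_REST_Request $request ) {
    // 32 random bytes, stored against the initiating administrator for 10 minutes.
    $state = bin2hex( random_bytes( 32 ) );
    set_transient( 'bookit_demo_stripe_state_' . $state, get_current_user_id(), 10 * MINUTE_IN_SECONDS );
    // The caller embeds $state in the return URL it hands to Stripe.
    return rest_ensure_response( array( 'state' => $state ) );
}

function bookit_demo_return_permission( WP_REST_Request $request ) {
    $state = $request->get_param( 'state' );
    if ( ! is_string( $state ) || ! preg_match( '/^[0-9a-f]{64}$/', $state ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid state.', array( 'status' => 403 ) );
    }
    $user_id = get_transient( 'bookit_demo_stripe_state_' . $state );
    if ( false === $user_id || ! user_can( (int) $user_id, 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Unknown or expired state.', array( 'status' => 403 ) );
    }
    delete_transient( 'bookit_demo_stripe_state_' . $state ); // single use
    return true;
}

function bookit_demo_handle_return( WP_REST_Request $request ) {
    $account_id = sanitize_text_field( (string) $request->get_param( 'account_id' ) );
    // Stripe Connect account ids have the form acct_<alphanumeric>; reject anything else.
    if ( ! preg_match( '/^acct_[A-Za-z0-9]+$/', $account_id ) ) {
        return new WP_Error( 'rest_invalid_param', 'Bad account id.', array( 'status' => 400 ) );
    }
    update_option( 'bookit_demo_stripe_account', $account_id, false );
    return rest_ensure_response( array( 'connected' => $account_id ) );
}

add_action( 'rest_api_init', 'bookit_demo_register_hardened_routes' );
```

The state token matters because WordPress only authenticates a REST request from a logged-in browser when it carries a valid nonce (the X-WP-Nonce header or the _wpnonce query parameter); a redirect arriving from Stripe carries neither, so a permission_callback that checked current_user_can('manage_options') alone would reject the legitimate administrator while still needing some other way to reject everyone else. Binding the return to a token issued by the capability-checked start route gives the return route an authorization decision it can actually make.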
Attack Vector
An attacker sends a crafted HTTP request to the public REST endpoint over the network, supplying their own Stripe Connect account identifier. The plugin stores the attacker-controlled identifier as the site's payment destination. No authentication, user interaction, or prior access is required. The vulnerability impacts integrity of payment configuration; subsequent customer bookings route funds to the attacker. See the WordPress Change Log Entry for the corrective code change.
Detection Methods for CVE-2025-12633
Indicators of Compromise
- Unexpected POST or GET requests to /wp-json/bookit/v1/commerce/stripe/return from anonymous or unknown source IP addresses
- Changes to the Bookit Stripe Connect account identifier in wp_options without a corresponding administrator session
- Customer reports of completed bookings where funds did not arrive in the site owner's Stripe account
- Bookit plugin version reporting 2.5.0 or earlier in the WordPress plugins inventory
Detection Strategies
- Inspect web server access logs for requests targeting the bookit/v1/commerce/stripe/return REST path and correlate with authentication state.
- Audit WordPress option values related to Bookit Stripe configuration and alert when the connected account identifier changes.
- Compare installed Bookit plugin versions against the fixed 2.5.1 release across all managed WordPress instances.
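The following is an added example, not part of the advisory or the Bookit project, implementing the first detection strategy above: it parses access log lines in the common "combined" format, isolates hits on the Stripe return route, and summarises them by client address and method so they can be matched against known administrator sessions. The four log lines are constructed samples; the IP addresses and user agents in them are placeholders.

```php
<?php
/**
 * Added example (not from the advisory): find hits on the Bookit Stripe return
 * route in web server access logs. Sample log lines below are constructed.
 */

const BOOKIT_RETURN_PATH  = '/wp-json/bookit/v1/commerce/stripe/return';
const BOOKIT_RETURN_ROUTE = '/bookit/v1/commerce/stripe/return';

// Parse one nginx/Apache "combined" log line into its fields, or null if it does not match.
function bookit_parse_access_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $parts = parse_url( $m[4] );
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => is_array( $parts ) && isset( $parts['path'] ) ? $parts['path'] : $m[4],
        'query'  => is_array( $parts ) && isset( $parts['query'] ) ? $parts['query'] : '',
        'status' => (int) $m[5],
        'ua'     => $m[6],
    );
}

// True when the request targets the return route, in either URL form WordPress serves.
function bookit_is_return_request( array $entry ): bool {
    if ( rtrim( $entry['path'], '/' ) === BOOKIT_RETURN_PATH ) {
        return true;
    }
    // Sites without pretty permalinks expose the same route as /index.php?rest_route=/bookit/...
    parse_str( $entry['query'], $q );
    return isset( $q['rest_route'] ) && rtrim( (string) $q['rest_route'], '/' ) === BOOKIT_RETURN_ROUTE;
}

// Every hit on the return route is worth triage: the redirect back from Stripe
// happens only when an administrator deliberately connects an account.
function bookit_find_return_hits( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $entry = bookit_parse_access_line( $line );
        if ( $entry && bookit_is_return_request( $entry ) ) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Group hits by source address: count, methods used, status codes, user agents.
function bookit_summarise_hits( array $hits ): array {
    $summary = array();
    foreach ( $hits as $h ) {
        $s = &$summary[ $h['ip'] ];
        $s['count']    = ( $s['count'] ?? 0 ) + 1;
        $s['methods']  = array_values( array_unique( array_merge( $s['methods'] ?? array(), array( $h['method'] ) ) ) );
        $s['statuses'] = array_values( array_unique( array_merge( $s['statuses'] ?? array(), array( $h['status'] ) ) ) );
        $s['agents']   = array_values( array_unique( array_merge( $s['agents'] ?? array(), array( $h['ua'] ) ) ) );
        unset( $s );
    }
    return $summary;
}

// Constructed sample log lines (placeholder addresses and agents).
$sample_log = array(
    '203.0.113.7 - - [12/Nov/2025:10:14:03 +0000] "GET /wp-json/bookit/v1/commerce/stripe/return?account_id=acct_EXAMPLE HTTP/1.1" 200 51 "-" "curl/8.4.0"',
    '198.51.100.22 - - [12/Nov/2025:10:14:09 +0000] "GET /wp-json/bookit/v1/appointments HTTP/1.1" 200 1240 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Nov/2025:10:15:41 +0000] "POST /index.php?rest_route=/bookit/v1/commerce/stripe/return HTTP/1.1" 200 51 "-" "python-requests/2.32"',
    '192.0.2.15 - - [12/Nov/2025:11:02:10 +0000] "GET /wp-admin/admin.php?page=bookit-settings HTTP/1.1" 200 8810 "https://shop.example/wp-admin/" "Mozilla/5.0"',
);

if ( PHP_SAPI === 'cli' ) {
    $lines = $argc > 1 ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) : $sample_log;
    foreach ( bookit_summarise_hits( bookit_find_return_hits( $lines ) ) as $ip => $s ) {
        printf( "%-16s hits=%d methods=%s statuses=%s agents=%s\n", $ip, $s['count'],
            implode( ',', $s['methods'] ), implode( ',', $s['statuses'] ), implode( ' | ', $s['agents'] ) );
    }
}
```

Run it as php scan.php access.log against a real log; with no argument it runs over the embedded samples and reports a single source with two hits (one GET, one POST). A source that reaches the return route with a scripting user agent, or at a time when no administrator was connecting Stripe, is the pattern the indicators of compromise above describe.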
Monitoring Recommendations
- Forward WordPress and web server logs to a central analytics platform and alert on unauthenticated hits to /wp-json/bookit/* endpoints.
- Monitor outbound webhook traffic to api.stripe.com for account linkage events that do not originate from administrator activity.
- Track plugin file integrity for Return_Endpoint.php and related Stripe gateway files to detect tampering.
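The must-use plugin below is an added example, not Bookit code, for the option-audit detection described above: it hooks WordPress's updated_option and added_option actions, and when an option that looks like the Bookit Stripe account setting changes outside an administrator session it writes a log line and mails the site administrator. The advisory does not name the wp_options key that Bookit uses, so the match pattern is a labelled assumption that must be adjusted to the real key.

```php
<?php
/**
 * Plugin Name: Bookit Stripe option audit (added example, not Bookit code)
 * Place in wp-content/mu-plugins/. Assumption: the connected Stripe account is
 * stored in an option whose name starts with 'bookit' and contains 'stripe';
 * replace BOOKIT_AUDIT_OPTION_PATTERN with the exact key once identified.
 */

const BOOKIT_AUDIT_OPTION_PATTERN = '/^bookit.*stripe/i'; // assumed, not from the advisory

function bookit_audit_is_watched_option( string $option ): bool {
    return (bool) preg_match( BOOKIT_AUDIT_OPTION_PATTERN, $option );
}

// Request context for triage: an administrator saving settings is expected;
// an anonymous REST request changing the same option is the CVE-2025-12633 pattern.
function bookit_audit_context(): array {
    $server = function ( string $key ): string {
        return isset( $_SERVER[ $key ] ) ? sanitize_text_field( wp_unslash( $_SERVER[ $key ] ) ) : '';
    };
    return array(
        'user_id'   => get_current_user_id(),
        'is_admin'  => current_user_can( 'manage_options' ),
        'rest'      => defined( 'REST_REQUEST' ) && REST_REQUEST,
        'remote_ip' => $server( 'REMOTE_ADDR' ),
        'uri'       => $server( 'REQUEST_URI' ),
    );
}

function bookit_audit_format( string $option, $old_value, $value, array $ctx ): string {
    return sprintf(
        '[bookit-audit] option=%s old=%s new=%s user=%d admin=%s rest=%s ip=%s uri=%s',
        $option,
        wp_json_encode( $old_value ),
        wp_json_encode( $value ),
        $ctx['user_id'],
        $ctx['is_admin'] ? 'yes' : 'no',
        $ctx['rest'] ? 'yes' : 'no',
        $ctx['remote_ip'],
        $ctx['uri']
    );
}

function bookit_audit_option_changed( string $option, $old_value, $value ): void {
    if ( ! bookit_audit_is_watched_option( $option ) ) {
        return;
    }
    $ctx     = bookit_audit_context();
    $message = bookit_audit_format( $option, $old_value, $value, $ctx );
    error_log( $message ); // reaches the central log platform via the PHP/web server error log

    if ( ! $ctx['is_admin'] ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Bookit Stripe setting changed without an administrator session',
            $message
        );
    }
}

add_action( 'updated_option', 'bookit_audit_option_changed', 10, 3 );
add_action( 'added_option', function ( $option, $value ) {
    bookit_audit_option_changed( (string) $option, null, $value );
}, 10, 2 );
```

Because the hook fires inside the request that writes the option, the recorded user id, REST flag and client address describe the actor that made the change; a line with admin=no and rest=yes for the Stripe account option is the indicator of compromise listed above and should trigger the reconciliation steps in the mitigation section.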
How to Mitigate CVE-2025-12633
Immediate Actions Required
- Update the Bookit plugin to version 2.5.1 or later on every affected WordPress site.
- Review the currently connected Stripe account in the Bookit settings and disconnect any account not owned by the site operator.
- Rotate Stripe API keys and revoke unauthorized Stripe Connect authorizations through the Stripe dashboard.
- Reconcile recent booking transactions against expected payouts to identify financial loss.
Patch Information
The vendor fixed CVE-2025-12633 in Bookit 2.5.1 by adding a capability check to the Stripe return REST endpoint. The code change is documented in the WordPress Change Log Entry and summarized in the Wordfence Vulnerability Report.
Workarounds
- Deactivate the Bookit plugin until the 2.5.1 update can be applied if immediate patching is not possible.
- Block unauthenticated requests to /wp-json/bookit/v1/commerce/stripe/return at the web application firewall or reverse proxy.
- Restrict access to the WordPress REST API for unauthenticated users where business logic permits.
# Example WAF rule to block unauthenticated access to the vulnerable endpoint (nginx).
# Stopgap only: it checks that a WordPress login cookie is present, not that it is valid.
location ~ ^/wp-json/bookit/v1/commerce/stripe/return {
    if ($http_cookie !~ "wordpress_logged_in_") {
        return 403;
    }
    # Requests that pass the check must still reach WordPress's front controller;
    # without this the location would serve a static 404 instead of the REST API.
    try_files $uri $uri/ /index.php?$args;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.